Tag: Third Department

This news summary was originally dispatched as part of Epoch Times China email newsletters. Subscribe to the newsletters by filling your email in the “China D-brief” box under this article, or sign up here.
One of the most important developments in recent history for China’s military took place last month, and it was easy to miss.
The Chinese Communist Party (CCP) ordered its military to abandon its business ventures over the next three years. The order applies to the People’s Liberation Army and the People’s Armed Police.
Those who follow Epoch Times reporting know the implications of this run deep. As my colleague Matthew Robertson pointed out, this will notably close the military-run hospitals which carry out the CCP’s forced organ transplants of prisoners of conscience—most markedly Falun Gong practitioners.
Robertson profiled the operations of one of these hospitals, Tianjin First Central, in an investigative piece in February, and noted “Epoch Times found sufficient evidence to throw into great doubt, if not demolish entirely, the official narrative of organ sourcing in China. This is simply due to the number of transplants: they are far too high.”
But the implications of the new order for the Chinese military run deeper still, as the order will very likely also impact the Chinese military’s use of cyberattacks for financial gain.
I’m not talking about the state-sanctioned cyberattacks, but instead the cyberattacks military commanders run to feed business ventures they have ties to, and the cyberattacks individual military hackers carry out to stuff their own pockets.
I mapped out China’s military-industrial complex in a September 2015 investigative report, and noted that until recently the Chinese military was expected to find external ventures to fund its operations.
I also detailed in March the DarkNet marketplaces that Chinese military hackers run to make money on the side. The hackers have been carrying out the state-run cyberattacks on behalf of the Chinese regime, but have also been stealing additional information they can sell personally.
Under the new orders, it’s likely these external ventures will gradually lessen, and we could see a significant drop in Chinese cyberattacks.
Of course, this doesn’t mean the state-sponsored cyberattacks will stop. It just means the military-led cyberattacks the Chinese regime doesn’t have a direct hand in could be coming to an end.
This process has actually been underway for some time. In September 2015, the leader of the Chinese Communist Party, Xi Jinping, announced he would cut 300,000 troops from the Chinese military. This was accompanied by a planned restructuring of the Chinese military.
I reported in November 2015 that there was more to this restructuring than meets the eye. A proposal for the new structure shows that it would move the military units that carry out the cyberattacks out from under strict military control, and put them under joint command between the Central Military Commission and the State Council.
In other words, the restructuring would give the “government” side of the Chinese regime–the State Council–more oversight over the types of cyberoperations being carried out by the military.
On May 16, the Chinese regime also deployed “anti-graft” squads to different theater commands and “key military departments,” according to the state-run Global Times. Under the oversight of these 10 anti-graft squads, it states, these targeted commands and departments will “for the first time be accountable to top military authorities.”
This won’t all happen overnight, however. The state-run China Daily reported on May 10 that the People’s Liberation Army and People’s Armed Police have started by selecting 17 units to close their commercial activities.
With plans to complete this process within three years, it notes the 17 units are “tasked with exploring effective ways to shut down businesses.”

This news analysis was originally dispatched as part of Epoch Times China email newsletters.
There have been four cases of Chinese espionage against the United States in just the last three weeks. These haven’t been the run-of-the-mill cyberspies either; these are Cold War-style cases of individuals allegedly caught spying on behalf of a communist regime.
Three of the cases involved people trying to steal nuclear technology. Another involved the theft of cutting-edge technology for unmanned submarines.
The first case garnered the most attention. On April 8, the U.S. military held the first hearing on the case of Lt. Cmdr. Edward Chieh-Liang Lin. The U.S. military officer and Taiwanese immigrant served as a “nuclear-trained enlisted sailor” and as a signals intelligence expert, and was allegedly spying on behalf of Taiwan and Mainland China.
Just five days later, a Chinese citizen, Fuyi “Frank” Sun, 52, was arrested in New York for trying to obtain sensitive carbon fiber used in nuclear centrifuges. Sun allegedly told undercover agents he worked for the Chinese regime’s missile program and had close ties to the Chinese military.
The next day, on April 14, another individual was indicted, alongside a Chinese state-owned nuclear power company, in a conspiracy case in Tennessee. Szuhsiung “Allen” Ho was allegedly acting on behalf of the state-run company to illegally transfer nuclear materials to China.
Then, just seven days later on April 21, Amin Yu, 53, was charged in Florida for “acting as an illegal agent” for China and trying to steal sensitive technology, including for unmanned underwater vehicles.
If the tables were turned, and four American spies were caught spying on another country—especially if it were in the course of a few weeks—it would be an international scandal. But with China, the world seems to have gotten somewhat desensitized to its brazen use of espionage.
In fact, only two of the cases were broadly covered by U.S. news outlets.
The unfortunate fact is that there are so many cases of Chinese espionage against the United States—both using cyberattacks and human spies—that they’ve begun to blend in with each other.
Chinese espionage has become the “dog bites man” story, where cases are so common that they’ve lost their shock value. People are no longer surprised by the cases, and so many news outlets seem to gloss over them.
But the importance of these cases is no less significant than it was during the Cold War, and the frequency of spy cases coming out of China isn’t a whole lot different.
The fact is that while China’s use of cyberattacks for espionage has taken center stage, it also has a very large system for conventional espionage—and its spies on both ends will often work together.
The Chinese military’s two main departments for this type of espionage are overseen by its General Staff Department. The cyberattacks are run under its Third Department, which handles signals intelligence (SIGINT); while its human intelligence (HUMINT) operations are carried out by its Second Department.
Epoch Times reported previously that the Chinese regime has between 250,000 and 300,000 soldiers under its Third Department dedicated to cyberespionage. Its Second Department has between 30,000 and 50,000 human spies working on insider operations.
The Chinese military also runs more than 3,200 military front companies in the United States, which are dedicated to theft. The information was revealed by the FBI’s former deputy director for counterintelligence, in a 2010 report from the U.S. Defense Threat Reduction Agency.
With these numbers in mind, it’s important to point out that even though cases of Chinese espionage (both SIGINT and HUMINT) are regularly exposed, the cases brought to light are just a drop in the ocean compared to the broader picture of what’s taking place.
There is also a lot of overlap between China’s use of cyberattacks and human spies. Sources told Epoch Times in a previous interview that Chinese cyberspies will even at times launch cyberattacks to cover the tracks of spies working as insiders in U.S. businesses and government agencies.
The rationale of using human intelligence operatives was explained well in a previous interview with Jarrett Kolthoff, president of cyber counterintelligence company SpearTip and a former special agent in U.S. Army counterintelligence.
Kolthoff told Epoch Times that Chinese spies are interested in “quantity first, quality second,” and often grab everything they can. He said they look for whatever approach is most effective for reaching this goal, and they “determine that it’s much easier to obtain the information through a rogue insider, or a trusted insider who is working for someone else.”
He said that while the human spy is at work, cyberspies will then launch attacks as a ruse, and this makes it appear the information was stolen through a cyberattack instead of an insider. This prevents the company or agency from searching for the insider spy, and Kolthoff noted “it’s very, very effective.”

I had the pleasure of speaking at Pace University’s recent Threat Intelligence Forum about what’s really behind Chinese cyberespionage, and I thought it would be useful to replicate that talk here.
There are enough Chinese cyberattacks that it’s fair to say most of us are familiar with the surface picture. There were close to 700 Chinese cyberattacks designed to steal corporate or military secrets in the United States between 2009 and 2014, according to an NSA map released by NBC News.
It’s also important to note the attacks designed for economic theft are only a small piece of the larger picture. Many Chinese cyberattacks are designed to spy on dissidents living abroad, keep tabs on foreign news outlets, spy on governments, or to censor individuals and organizations that are critical of the Chinese regime.
In March, for example, it launched cyberattacks on the anti-censorship website GreatFire.org. In June, it stole 21.5 million background checks from the U.S. Office of Personnel Management on current and former federal employees. In September, the Chinese regime was caught spying on the U.S. government and European news outlets.
The attacks designed for economic theft usually get the most attention—and with good reason. Retired federal prosecutor David Loche Hall explained the economic seriousness of these attacks in his recent book, “Crack99.”
There are 75 industries in the United States identified as intellectual property (IP) intensive, according to Hall. These industries hold 27.1 million American jobs, or 18.8 percent of all employment. Each of these jobs also supports one additional job through the supply chain.
So, when you look at the whole picture, close to 40 million jobs, or 27.7 percent of all employment in the United States, rely on protection of IP. And it’s this IP that the Chinese regime has been stealing with cyberattacks.
Close to $300 billion and 1.2 million American jobs are lost each year to IP theft, according to the Commission on the Theft of Intellectual Property.
“When this innovation is meant to drive revenue, profit, and jobs for at least 10 years, we are losing the equivalent of $5 trillion out of the U.S. economy every year to economic espionage,” said Casey Fleming, CEO of BLACKOPS Partners Corporation, in a previous interview with Epoch Times.
BLACKOPS Partners Corporation provides intelligence and cyber strategy to the Fortune 500. Fleming emphasized that to understand the impact of economic theft, you need to look at the full economic life cycle of raw innovation, including trade secrets, research and development, and information for competitive advantage.
Chinese cyberattacks are also a lot different from other cyberattacks, and this is why experts often place them under a different category.
Cybersecurity company MANDIANT wrote in 2010, “These intrusions appear to be conducted by well-funded, organized groups of attackers. We call them the ‘Advanced Persistent Threat’—the APT—and they are not ‘hackers.’ Their motivation, techniques and tenacity are different. They are professionals, and their success rate is impressive.”
It also notes, “… we’ve been able to correlate almost every APT intrusion we’ve investigated to current events within China.”
So, the big question is what’s really behind the APT. To understand this, you need to understand the structure and operations of the Chinese Communist Party’s (CCP) spy departments.
The overt spy operations are mainly carried out by two departments. The United Front Work Department works to expand the CCP’s sphere of influence in foreign communities, while the Overseas Chinese Affairs Office works to monitor Chinese living abroad and manage the CCP’s overseas systems of governance.
These departments are important to mention here because, while their focus is spying on individuals living abroad, their operations are aided by CCP cyberspy operations that can give them intel on targeted groups or individuals.
As an example, if the United Front Work Department was trying to butter up a U.S. senator, the CCP’s cyberspies could give them information from the senator’s emails or background check, which they can then use.
When it comes to cyberattacks for economic theft, most of these are attributed to the Third Department of the People’s Liberation Army General Staff Department. The Third Department runs the signals intelligence (SIGINT) operations of the CCP.
Alongside the Third Department is the Second Department, which runs many of the conventional human intelligence (HUMINT) operations. Then there’s the Fourth Department that handles the electronics intelligence (ELINT) operations.
There is a lot of overlap in Chinese spy operations. Physical spies may help the cyberspies by “accidentally” infecting a computer in a company where they’ve been planted. The CCP’s hackers may also help cover the tracks of an insider by launching a cyberattack to make it appear information was stolen by a cyberattack, instead of by the insider spy.
These departments handle the bulk of the CCP’s spy operations under its military, and they run large-scale operations. The Project 2049 Institute think tank estimated in November 2011 there were 130,000 personnel under the Third Department. The Wall Street Journal estimated the department has 100,000 hackers, linguists, and analysts.
Both the above estimates, however, were based on earlier pictures of the Third Department, which said it has only 12 operational bureaus. It’s now known the Third Department has at least 20 operational bureaus.
The CCP’s cyberspies are also divided into three tiers, as was detailed in the 2013 edition of “The Science of Military Strategy,” published by a People’s Liberation Army research institute. The details were outlined in March by Joe McReynolds, research analyst at the Center for Intelligence Research and Analysis.
The first tier of the CCP’s cyberspies are military units “employed for carrying out network attack and defense,” McReynolds said. The second tier are specialists in civilian organizations—including with government offices—that are “authorized by the military to carry out network warfare operations.” The third are groups outside the government and military “that can be organized and mobilized for network warfare operations.”
The Chinese military also runs front companies to aid in these operations. The FBI’s former deputy director for counterintelligence said the Chinese regime operates more

This news analysis was originally dispatched as part of Epoch Times China email newsletters.
The first U.S.-China dialogue under a new cybersecurity agreement concluded last week—but what was left unmentioned was much more important than what was said.
According to Xinhua, the official mouthpiece of the Chinese Communist Party, the Chinese representatives claimed they identified the individuals who breached the U.S. Office of Personnel Management (OPM), and explained that “the case turned out to be a criminal case rather than a state-sponsored cyber attack as the U.S. side has previously suspected.”
The statement is unlikely to be a surprise to anyone following cybersecurity. The Chinese regime always denies its involvement in cyberattacks, regardless of evidence. Most interesting is that in a statement giving a brief recap of the meeting, the U.S. Department of Justice gave no mention of the discussion on the OPM hack.
In a way, the Chinese regime has become a boy who cried wolf: it has lied so often that many experts—including many U.S. officials—don’t give its claims much weight.
The Washington Post reported that even prior to the cybersecurity meeting from Dec. 1 to Dec. 2, the Chinese regime claimed it “arrested a handful of hackers it says were connected to the breach” of OPM, yet also cited an unnamed U.S. official stating “we don’t know that if the arrests the Chinese purported to have made are the guilty parties.”
“There is a history [in China] of people being arrested for things they didn’t do or other ‘crimes against the state,’” the official said.
The bilateral meeting between the Chinese Minister of Public Security, the U.S. Secretary of Homeland Security, and the U.S. Attorney General was the first under the new U.S.-China cybersecurity agreement, announced by President Barack Obama and Chinese Communist Party leader Xi Jinping on Sept. 25.
The stance brought to the table by the Chinese representatives was likely well in line with what U.S. officials expected.
John Carlin, assistant attorney general for national security, explained during a Dec. 3 presentation that after the U.S. Department of Justice indicted five Chinese military officers in May 2014 for their involvement in state-run cyberattacks, the Chinese regime altered its line on cybersecurity.
The Chinese regime’s initial response, Carlin said, was of “indignant denials.” Just a year later, however, its response moved towards one claiming that they also oppose and combat theft of commercial secrets—and other forms of cyberattacks.
The shift in official line seems to chime with the ancient Chinese saying: “It’s the thief who yells ‘stop thief.’”
Of course, there are plenty of reasons why experts would choose to not believe the Chinese regime’s claims that it arrested hackers, or that it had nothing to do with the breach.
The Chinese regime’s state-sponsored cyberattacks have already been deeply exposed. Most of its military hackers operate out of its General Staff Department, Third Department. In July, the Project 2049 Institute think tank even traced one of the Chinese hacker units to a government office in Shanghai.
The OPM breach was tied to several other Chinese state-sponsored cyberattacks, which cybersecurity experts dubbed “Deep Panda.” The same hackers who breached the OPM also breached health insurance company Anthem.
The stolen private information is being used by Chinese agencies to build a database on Americans. An insider in China detailed this database, and told Epoch Times that the system for big data analytics is based on the same database the Chinese regime uses for spying on its own people.
It is also possible that Chinese officials were telling a half-truth, and that the hackers behind the OPM breach were not officially under the Chinese regime or its military. But, with a bit of background on the Chinese cyber army, this still wouldn’t free them from blame.
The Chinese regime revealed the structure of its cyber army in the 2013 edition of its military publication, “The Science of Military Strategy.” Its cyber army has three tiers: the first being specialized military units, the second being specialists in civilian organizations and government agencies, and the third being groups outside the Chinese regime “that can be organized and mobilized for network warfare operations.”

Rumor has it the Chinese regime will move its cyberwarfare units under a single command structure. Unnamed sources told Bloomberg in mid-October that Chinese cyber units from all departments would be moved under a centralized command under the Central Military Commission.
Changes were allegedly discussed during the Chinese Communist Party’s (CCP) Fifth Plenum, attended by more than 350 top CCP officials, where they lay out the new five-year economic plan.
Bloomberg followed with some interesting analysis, but in my opinion, it missed the mark. First of all, the Chinese regime already has a command structure for its cyber departments, which on the surface—and under proposed changes—is headed by the Central Military Commission. Second, proposals for the new Chinese military structure give a much more complex picture of how its cyber units will be managed.
As things stand now, the CCP’s cyber units are broken into three tiers. The structure, which is already under the Central Military Commission, was detailed in the latest edition of The Science of Military Strategy, published by the top research institute of the People’s Liberation Army (PLA). While the document was released in 2013, details on the cyber structure were only reported in the West in March this year.
At the top of the cyber structure are the specialized PLA military units assigned to attack and defend networks. Next are the specialists in civilian organizations—including the Ministry of State Security and the Ministry of Public Security—that are “authorized by the military to carry out network warfare operations.” The third tier are groups outside the regime, which presumably include nationalistic hackers (often known as “Patriot Hackers”), that can be called on for cyber operations when needed.
The Central Military Commission is technically in charge of these units, but when it comes to actual power within the PLA, things aren’t that simple.
According to the surface structure, the Central Military Commission heads the General Staff Department, which in turn heads the hacker units under its Third Department. In an investigative report in September, however, Epoch Times revealed that the real power behind the PLA hackers is the 61 Research Department of the Third Department.
The 61 Research Institute is led by Maj. Gen. Wang Jianxin, son of Wang Zheng who pioneered the CCP’s signals intelligence operations under Mao Zedong. Sources told Epoch Times that while Wang’s department is several tiers below the Central Military Commission, he’s an extremely powerful man.
This is where the new structure comes into play. It ties into plans to restructure the entire PLA, and cut 300,000 troops, announced by CCP leader Xi Jinping in early September.
Shortly after the announcement, South China Morning Post—which has been growing increasingly close to the Chinese regime—released an infographic showing a proposal for the new structure.
Under the current system, most of the military is controlled by the Central Military Commission, with some power shared with the State Council through its joint influence over the Ministry of National Defense.
With the new structure, however, a large chunk of military units would be placed under the Ministry of National Defense—which means the State Council would have more of a hand in their operations.
The State Council is technically the government of China, but it’s still controlled by the CCP.
Meanwhile, the unit in charge of the hackers—the General Staff Department—would be given command over three other departments: General Political Department, General Logistics Department, and the General Armaments Department.
In an odd knot, control of those same three departments will be shared under the Ministry of National Defense. And oddly, also under the Ministry of National Defense will be some departments with ties to cyberespionage. Among them are the regional defense and research departments, the National Defense University, the Academy of Military Science, and the National University of Defense Technology.
In other words, the military hackers would officially remain under the Central Military Commission, but departments tied to their operations would be jointly controlled by an office managed by both the Central Military Commission and the State Council.
Keep in mind, these are still just proposals. But it appears the changes aren’t meant to consolidate command of the CCP’s hackers. Instead, it looks like the changes are designed to rein in the hackers by giving the State Council some indirect sway over their actions. Several sources have told Epoch Times that the Chinese regime has trouble controlling finances tied to military hackers, and this has caused forms of corruption that the leadership wishes to stem.
The new system would give the State Council—the highest executive agency in the Chinese state (though of course below the Politburo Standing Committee)—more oversight. This puts the infrastructure for economic theft under the Ministry of Defense, while giving more government oversight over the activities, thus depriving the PLA of some of its autonomy.